Network authentication, authorization and accounting system and method
Technical field
The present invention relates to network operation and management, and in particular to a network authentication, authorization and accounting system and method.
Background
Since the birth of networks, the authentication, authorization and accounting (AAA) framework has been the basis of their operation: the use of the various resources in a network is managed through authentication, authorization and accounting. Specifically:
Authentication is the confirmation of a user's identity when the user uses resources in the network system. In this process, identity information (such as a username and password combination, biometric data, etc.) is obtained through interaction with the user and submitted to the authentication server (AAA server 3); the latter checks the identity information against the user information stored in its database and, based on the result, confirms whether the user's identity is correct. For example, the GSM mobile communication system can identify the terminal equipment identifiers and subscriber identifiers within its network.
Authorization is the network system permitting a user to use its resources in a specific way. This process specifies the services an authenticated user may use after accessing the network and the rights the user holds, such as the IP address granted. Again taking the GSM mobile communication system as an example, for a legitimate user who has passed authentication, the service rights (whether international outgoing calls are enabled, etc.) have been established in advance by agreement between the user and the operator.
Accounting is the network system collecting and recording a user's use of network resources so that the user can be charged for resource usage, or for auditing and other purposes. Taking an Internet service provider (ISP) as an example, a user's network access usage can be accurately recorded by traffic volume or by time.
For a network user to use the services offered on the network normally, the user needs access to two kinds of resources: network resources (that is, the network access facilities) and network services. AAA therefore arises at two levels: at the network resource level the network access provider authenticates users, performs accounting and authorizes them; at the network service level this is provided by the service provider.
Two kinds of services exist on today's networks. The first kind is ordinary data services such as Web access, FTP (File Transfer Protocol) and e-mail. These services are provided free of charge by service providers (who earn revenue through advertising, or provide them for use within an organization). Correspondingly, for the network access provider the accounting model is basically by traffic volume, by duration or a combination of the two; user authentication is completed at the edge of the network by the network infrastructure provider's AAA facilities, and there is no service-level authentication, authorization or accounting. Such services generally place low demands on the network's quality of service (QoS): best-effort forwarding is sufficient and the coupling between service and network is loose, so the network infrastructure provider need only charge users an access fee. The service provider can recover the cost of providing the service by collecting advertising revenue, by performing its own authentication and accounting where the service is provided, or by providing the service to its own organization.
The second kind of service on the network requires quality of service (QoS) guarantees, such as IP phone, NGN (Next Generation Network), video conferencing, Internet radio/television and VoD (video on demand). These services require the network to provide different levels of QoS protection; otherwise they cannot operate normally. Because of their special demands on network resources, offering such services requires the cooperation of the network access provider. At present, the basic model for offering them is to build a separate network that provides only this kind of service and combines the service with network access, as in VoIP (voice over IP).
AAA technology on current networks basically uses the RADIUS protocol (remote dial-in user access protocol) as the back-end protocol (between the network access server (NAS) 2 and AAA server 3), while the front-end protocol (between the user equipment and the access server) depends on the access technology, e.g. 802.1x in Ethernet and WLAN (wireless LAN). The current AAA framework is shown in Figure 1: when access server 2 (i.e. the NAS) receives a connection request from user equipment 1, it encapsulates the request in a protocol message supported by AAA server 3 and sends it to AAA server 3. After several exchanges between user equipment 1 and AAA server 3, AAA server 3 sends access server 2 an indication that the legitimate user may be admitted. The authorized user equipment 1 can then access network 4.
In the above scheme, for the first kind of service the network itself cannot control the service, only the access. For the second kind, service access control and network access control are merged: access server 2 is both the EP (enforcement point, the device that performs access control) for network access and the EP for service access. The kinds of service the network can offer are therefore limited, and introducing a new second-kind service on the network requires upgrading access server 2 and AAA server 3, as in the case of VoIP.
Another possible scheme is to separate the service and network access completely: the service provider and the network access provider each have their own AAA server 3 and facilities, and user authentication, authorization and accounting are performed separately.
Because network and service are completely separated, guaranteeing QoS is difficult. In addition, users must maintain several sets of identity information and the network contains several AAA facilities, which harms ease of use. Settlement is even less convenient when the network access provider and the service provider are not the same organization.
Summary of the invention
The problem solved by the present invention is to provide a network authentication, authorization and accounting system and method that avoids the limitations of existing network equipment while guaranteeing quality of service and facilitating accounting.
To solve the above problem, the network authentication, authorization and accounting system of the present invention includes:
user equipment, through which the user establishes a connection to the network;
an access server, connected to the user equipment, which connects the user equipment to the network;
an AAA server, connected to the access server, which together with the access server completes authentication, authorization and accounting for users accessing the network;
a service server, connected to the access server, which provides a specific service, exchanges authentication and authorization information with the AAA server, and exchanges service traffic with the user equipment;
a service accounting server, connected to the service server, which together with the service server performs accounting for the user's use of service resources and sends the accounting data to the AAA server.
The access server is QoS-aware, and the AAA server consolidates the access accounting data and the service accounting data.
Furthermore, the service accounting server and the AAA server may be one device; the service server may be a set of devices that together deliver one service, and it stores service resource usage records; the user equipment may be a computer, mobile phone, telephone or personal digital assistant.
Correspondingly, the network authentication, authorization and accounting method of the present invention includes the following steps:
a. Network access request step: the user logs in at the user equipment, which sends a network access request;
b. Authentication and authorization step: the AAA server and the access server complete user authentication on the basis of the user's identity information, and the user equipment is accordingly authorized or denied access to the network;
c. Service access request step: user equipment authorized to access the network sends a service access request, containing the user's identity information, to the service server;
d. Service confirmation and authorization step: the service server queries, via the service accounting server, the identification information stored in the AAA server to confirm the user's identity and the corresponding service rights; if the identification information matches the user's identity information and service rights, the service server accepts the access request and authorizes the start of the service interaction, otherwise it refuses the service;
e. Service accounting step: the service server sends the user's service resource usage record to the service accounting server, which derives the accounting data from it;
f. The AAA server obtains the service accounting data and consolidates it with the access accounting data.
Compared with the prior art, the present invention has the following advantages:
1. The invention separates the service server from the access server, so that service categories can be added to the network as needed without upgrading equipment already on the network, which facilitates the development and deployment of services;
2. A service accounting server is added, so that use of network resources and use of service resources are accounted for separately, while a data channel between the AAA server and the service accounting server allows the accounting results to be considered together;
3. With a single set of login information (account/password) and a single authentication, the user can access all services on the network with unified accounting, which makes the network and its services more convenient to use;
4. The network access provider gains better control over network services, and an accounting channel for QoS is provided.
Brief description of the drawings
Figure 1 is a schematic diagram of an existing network authentication, authorization and accounting system.
Figure 2 is a schematic diagram of the network authentication, authorization and accounting system of the present invention.
Figure 3 is a flowchart of the network authentication, authorization and accounting method of the present invention.
Figure 4 is a detailed flowchart of Figure 3.
Figure 5 is a flowchart of adding a service in the network authentication, authorization and accounting method of the present invention.
Detailed description
Referring to Figure 2, the network authentication, authorization and accounting system includes:
user equipment 1, through which the user establishes a connection to the network; user equipment 1 may be a computer, mobile phone, telephone, PDA (personal digital assistant) or similar device, and may connect to network 4 over wireless or wired means/technologies such as GPRS (General Packet Radio Service), ADSL (asymmetric digital subscriber line), dial-up or WLAN;
access server 2, connected to user equipment 1, a gateway able to provide network access service to user equipment 1 over wireless or wired means/technologies such as GPRS, ADSL, dial-up or WLAN; access server 2 need not be service-aware, but must be QoS (quality of service) aware. Whether an access server can be QoS-aware is a property of the network and can be provided in various ways by existing technology, which is not described further here;
AAA server 3, connected to access server 2, which together with access server 2 completes authentication, authorization and accounting for users accessing network 4, and the access to network 4;
service server 5, the server that actually provides the service, which may also be a set of devices that together deliver one service; it is connected to access server 2, can exchange authentication and authorization information with AAA server 3, exchanges service traffic with user equipment 1, and stores service resource usage records;
service accounting server 6, connected to service server 5, which together with service server 5 performs accounting for the user's use of service resources and sends the accounting data to AAA server 3 periodically or in real time; AAA server 3 consolidates the access accounting data and the service accounting data. Service accounting server 6 and AAA server 3 may also be one device.
In the above system, a user applying for network access and the related services must first register. The user enters login information (such as name, account, password) at the interface of user equipment 1, and network 4 grants the user a legitimate access identity on the basis of the registration. Network 4 verifies the user's identity by checking whether the user's identity information matches the identification information stored in the network, where the user's identity information includes the login information and additional attribute information (such as identity ID, computer, location, access rights, etc.). In this system, authentication and accounting for network access are the same as in the existing AAA mechanism and process.
In service access control the user first presents identity information, which may take the form of a PKC/AC (public key certificate/attribute certificate), a token, a credential, etc., and which has already been confirmed/verified by AAA server 3 at network access. Service server 5 queries AAA server 3 via service accounting server 6 to confirm the user's identity and authorization information, then admits the user and authorizes use of the service.
Referring to Figures 3 and 4, the network authentication, authorization and accounting method of the present invention includes the following steps:
a. Network access request step 30: the user logs in at user equipment 1, which sends a network access request;
b. Authentication and authorization step 31: AAA server 3 and access server 2 together complete user authentication on the basis of the user's identity information, and user equipment 1 is accordingly authorized or denied access to network 4:
access server 2 receives the access request and sends an authentication request to AAA server 3; after verifying the user's identity, AAA server 3 sends an authentication response to access server 2; on receiving the authentication response, access server 2 sends an access response to user equipment 1, which is authorized or denied access to the network.
c. Service access request step 32: when the user wants to use a service on the network, user equipment 1, having been authorized to access the network, sends a service access request containing the user's identity information to the service server 5 of that service;
d. Service confirmation and authorization step 33: service server 5 queries, via service accounting server 6, the identification information stored in AAA server 3 to confirm the user's identity and the corresponding service rights; if the identification information matches the user's identity information and service rights, service server 5 accepts the access request and authorizes the start of the service interaction, otherwise it refuses the service.
Service accounting server 6 may determine service rights on its own, but user authentication is still ultimately completed by AAA server 3.
Besides the service access request/verification, the service confirmation and authorization step may also include a service use request/verification, i.e. determining the user's specific rights to use the service on the basis of the state of the service resources and the user's identity.
e. Service accounting step 34: during or after the service interaction, service server 5 sends the user's service resource usage record to service accounting server 6, which (ordinary accounting software suffices) calculates the service charge from the usage record and produces the accounting data;
f. The AAA server obtains the service accounting data (step 35) and consolidates the access and service accounting data. Service accounting server 6 sends the accounting data to AAA server 3 periodically or on an event-driven basis, or AAA server 3 queries service accounting server 6 periodically or on an event-driven basis to obtain it.
The network access provider, as the user's sole point of contact, negotiates service/network usage and charges with the user, and can negotiate with the service provider on the use of accounting data and the division of revenue. When the service providers differ, this is determined by the agreement between AAA server 3 and the service accounting server; the accounting data that service accounting server 6 passes to AAA server 3 carries a service type code and should also include the service provider's name/number, the service resource usage, and so on.
Referring to Figure 5, the procedure for a service provider to add a new service is:
a. Step 50: for the new service, the service provider builds service server 5 and service accounting server 6 and provides the service; as regards accounting, the service provider negotiates with the network access provider to determine how accounting data is collected and how service revenue is divided;
b. Step 51: determine whether the service is a default service. If not, the user applies to the service provider for use of the service, and the data (including user identification information and usage rights, where the user identity is the account assigned to the user by the network access provider) is stored in service accounting server 6; if it is a default service, it is provided to all users;
c. Step 52: steps 30-35 are carried out, in which the user accesses the network with the identity information used for network access (such as account and password) and uses the service (i.e. network access and service access use the same ID).
If further services are added, the same procedure (a-c) is used, and the identity information used for access (such as account and password) is again used for the service (i.e. multiple services share the same ID). In this way, with a single set of login information (account/password) and a single authentication, the user can access all services on the network with unified accounting, which makes the network and its services convenient to use.
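As an added illustration (not part of the patent text), the following Python models steps 30 to 35 and the service-definition step 51 with the five components described above: the access server relays logins and meters traffic, the service accounting server holds entitlements and reports service charges to the AAA server, and the AAA server issues the credential and consolidates both kinds of accounting. The component interfaces, tariffs, account names and the credential scheme (a random session token issued at network access, checked by the service side through the service accounting server) are constructed assumptions, not the patent's protocol.

```python
import hashlib, hmac, secrets

def _pw_hash(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()

class AAAServer:  # AAA server (3): verifies identity, merges access and service accounting
    def __init__(self):
        self.users = {}            # account -> (salt, password hash)
        self.credentials = {}      # credential issued at network access -> account
        self.access_records = []   # accounting data pushed by the access server
        self.service_records = []  # accounting data pushed by the service accounting server
    def register(self, account, password):
        salt = secrets.token_hex(8)
        self.users[account] = (salt, _pw_hash(password, salt))
    def authenticate(self, account, password):  # step b: on success issue a credential
        salt, digest = self.users.get(account, ("", ""))
        if not hmac.compare_digest(_pw_hash(password, salt), digest):
            return None
        cred = secrets.token_urlsafe(16)
        self.credentials[cred] = account
        return cred
    def identify(self, credential):  # answers the service-side query: whose credential?
        return self.credentials.get(credential)
    def consolidated_bill(self, account):  # step f: access charges + service charges
        a = sum(r["fee"] for r in self.access_records if r["account"] == account)
        s = sum(r["fee"] for r in self.service_records if r["account"] == account)
        return {"access": a, "service": s, "total": a + s}

class AccessServer:  # access server / NAS (2): relays logins, meters traffic, unaware of services
    def __init__(self, aaa, rate_per_mb):
        self.aaa, self.rate = aaa, rate_per_mb
    def access_request(self, account, password):  # steps a-b
        return self.aaa.authenticate(account, password)
    def meter(self, credential, megabytes):  # network-access accounting (constructed tariff)
        account = self.aaa.identify(credential)
        if account:
            self.aaa.access_records.append({"account": account, "fee": megabytes * self.rate})

class ServiceAccountingServer:  # (6): entitlements, service billing, reporting to the AAA server
    def __init__(self, aaa, provider):
        self.aaa, self.provider, self.entitled = aaa, provider, {}
    def define_service(self, code, subscribers=None):  # step 51: None = default service
        self.entitled[code] = None if subscribers is None else set(subscribers)
    def authorize(self, credential, code):  # step d: identity from AAA, entitlement decided here
        account = self.aaa.identify(credential)
        allowed = self.entitled.get(code, set())
        if account is None or (allowed is not None and account not in allowed):
            return None
        return account
    def bill(self, account, code, units, rate):  # steps e-f: data tagged with provider/service code
        self.aaa.service_records.append({"provider": self.provider, "service": code,
                                         "account": account, "units": units, "fee": units * rate})

class ServiceServer:  # service server (5): one service, keeps its own usage records
    def __init__(self, accounting, code, rate):
        self.acc, self.code, self.rate, self.usage = accounting, code, rate, []
    def use(self, credential, units):  # steps c-e for one service session
        account = self.acc.authorize(credential, self.code)
        if account is None:
            return False
        self.usage.append((account, units))
        self.acc.bill(account, self.code, units, self.rate)
        return True

def run_scenario():  # constructed scenario: one login, a default VoD service, a subscription VoIP service
    aaa = AAAServer()
    aaa.register("alice", "correct horse")
    nas = AccessServer(aaa, rate_per_mb=0.1)
    acc = ServiceAccountingServer(aaa, provider="SP-01")
    acc.define_service("VOD")                         # default: open to every authenticated user
    acc.define_service("VOIP", subscribers=["bob"])   # alice has not subscribed
    vod, voip = ServiceServer(acc, "VOD", 2.0), ServiceServer(acc, "VOIP", 0.5)
    bad_login = nas.access_request("alice", "wrong")  # rejected at step b
    cred = nas.access_request("alice", "correct horse")
    nas.meter(cred, 50)                               # 50 MB of network access
    return {"bad_login": bad_login, "vod": vod.use(cred, 3), "voip": voip.use(cred, 10),
            "forged": vod.use("not-a-credential", 1), "bill": aaa.consolidated_bill("alice")}
```

Note that the service side never sees the password: it forwards only the credential, and a forged credential or a missing entitlement is refused before any usage is recorded or billed.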